authorJasper Ras <jras@hostnet.nl>2025-02-03 22:04:02 +0100
committerJasper Ras <jras@hostnet.nl>2025-02-03 22:04:02 +0100
commit574da5b3416e2376c4ffe20a53ddb1dc2c02b6ce (patch)
treef52234097940d6e3b3018d777f6ecbd14384392a /configuration
parentfa83bdc5067417e3407241b17116a560c9d86b61 (diff)
move around work host config
Diffstat (limited to 'configuration')
-rw-r--r--configuration/work/default.nix152
-rw-r--r--configuration/work/hardware-configuration.nix41
2 files changed, 193 insertions, 0 deletions
diff --git a/configuration/work/default.nix b/configuration/work/default.nix
new file mode 100644
index 0000000..ebb26f5
--- /dev/null
+++ b/configuration/work/default.nix
@@ -0,0 +1,152 @@
+{ config, pkgs, inputs, ... }:
+{
+ imports = [ ./hardware-configuration.nix ];
+
+ age.secrets.ghostnet-cert.file = ../../secrets/ghostnet-cert.age;
+ age.secrets.ghostnet-key.file = ../../secrets/ghostnet-key.age;
+ age.secrets.ghostnet-ca.file = ../../secrets/ghostnet-ca.age;
+ age.secrets.ghostnet-tls-auth.file = ../../secrets/ghostnet-tls-auth.age;
+ age.secrets.ghostnet-auth-user-pass.file = ../../secrets/ghostnet-auth-user-pass.age;
+
+ age.secrets.systems-cert.file = ../../secrets/systems-cert.age;
+ age.secrets.systems-key.file = ../../secrets/systems-key.age;
+ age.secrets.systems-ca.file = ../../secrets/systems-ca.age;
+ age.secrets.systems-tls-auth.file = ../../secrets/systems-tls-auth.age;
+
+ environment.systemPackages = with pkgs; [
+ slack
+ git-review
+ hexchat
+ apacheHttpd
+ moonlight-qt
+ brightnessctl
+ hugo
+ google-chrome
+ ];
+
+ hardware.bluetooth.enable = true;
+ hardware.bluetooth.powerOnBoot = true;
+
+ boot.loader.systemd-boot.enable = true;
+ boot.loader.efi.canTouchEfiVariables = true;
+
+ networking.hostName = "work";
+ networking.networkmanager.enable = true;
+ networking.networkmanager.dns = "systemd-resolved";
+ networking.nameservers = [ "1.1.1.1" ];
+ networking.firewall.allowedTCPPorts = [];
+
+ time.timeZone = "Europe/Amsterdam";
+
+ i18n.defaultLocale = "en_US.UTF-8";
+ i18n.extraLocaleSettings = {
+ LC_ADDRESS = "nl_NL.UTF-8";
+ LC_IDENTIFICATION = "nl_NL.UTF-8";
+ LC_MEASUREMENT = "nl_NL.UTF-8";
+ LC_MONETARY = "nl_NL.UTF-8";
+ LC_NAME = "nl_NL.UTF-8";
+ LC_NUMERIC = "nl_NL.UTF-8";
+ LC_PAPER = "nl_NL.UTF-8";
+ LC_TELEPHONE = "nl_NL.UTF-8";
+ LC_TIME = "nl_NL.UTF-8";
+ };
+
+ services.libinput.mouse.accelProfile = "flat";
+ services.libinput.mouse.accelSpeed = "-5";
+ services.upower.enable = true;
+ services.openssh.enable = true;
+ services.openvpn.servers = {
+ ghostnet = {
+ config = ''
+ client
+ remote 185.57.9.6 1194
+ cert ${config.age.secrets.ghostnet-cert.path}
+ key ${config.age.secrets.ghostnet-key.path}
+ ca ${config.age.secrets.ghostnet-ca.path}
+ auth-user-pass ${config.age.secrets.ghostnet-auth-user-pass.path}
+ reneg-sec 0
+ cipher AES-256-CBC
+ comp-lzo adaptive
+ dev tun
+ proto udp
+ remote-cert-tls server
+ tls-auth ${config.age.secrets.ghostnet-tls-auth.path} 1
+ nobind
+ auth-nocache
+ script-security 2
+ persist-key
+ persist-tun
+ user nm-openvpn
+ group nm-openvpn
+ '';
+ updateResolvConf = false;
+ autoStart = false;
+ };
+ systems = {
+ config = ''
+ client
+ remote 'vpn-v2.one.com'
+ cert '${config.age.secrets.systems-cert.path}'
+ key '${config.age.secrets.systems-key.path}'
+ ca '${config.age.secrets.systems-ca.path}'
+ cipher AES-128-CBC
+ comp-lzo adaptive
+ dev tun
+ proto udp
+ port 1200
+ remote-cert-tls server
+ tls-auth '${config.age.secrets.systems-tls-auth.path}' 1
+ nobind
+ auth-nocache
+ script-security 2
+ persist-key
+ persist-tun
+ user nm-openvpn
+ group nm-openvpn
+ '';
+ updateResolvConf = false;
+ autoStart = false;
+ };
+ };
+
+ programs.update-systemd-resolved.servers = {
+ ghostnet = {
+ includeAutomatically = true;
+ settings = {
+ routeOnlyDomains = [ "hostnetbv.nl." ];
+ defaultRoute = false;
+ multicastDNS = "no";
+ dnsOverTLS = "opportunistic";
+ dnssec = "no";
+ };
+ };
+ };
+
+ services.resolved = {
+ enable = true;
+ dnssec = "true";
+ domains = [ "~." ];
+ fallbackDns = [ "1.1.1.1" ];
+ dnsovertls = "opportunistic";
+ llmnr = "true";
+ };
+
+ services.xserver.xkb = {
+ layout = "us";
+ variant = "";
+ };
+
+ users.users.jras = {
+ isNormalUser = true;
+ description = "Jasper Ras";
+ extraGroups = [ "networkmanager" "wheel" "docker" ];
+ packages = with pkgs; [ git ];
+ };
+
+ home-manager.useGlobalPkgs = true;
+ home-manager.useUserPackages = true;
+ home-manager.users.jras = import ../../home-manager/entrypoints/work.nix;
+ home-manager.extraSpecialArgs = { inherit inputs; monitor-names = ["eDP-1" "HDMI-A-1" "DP-10"]; };
+
+ system.stateVersion = "24.05"; # Do NOT change before reading configuration.nix
+}
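Review bot: `services.openssh.enable = true;` on this host is effectively exposed even though `networking.firewall.allowedTCPPorts = [];` is empty, because the NixOS openssh module opens its port through `services.openssh.openFirewall` (default true) independently of that list, and the module's defaults leave password authentication on. For a laptop that roams onto untrusted networks it is worth being explicit, e.g. `services.openssh.settings.PasswordAuthentication = false;` and `services.openssh.settings.KbdInteractiveAuthentication = false;` next to the enable line, or `services.openssh.openFirewall = false;` if remote login is only needed over the VPN tunnels. Separately, both OpenVPN profiles carry `comp-lzo adaptive`; link-layer compression on a VPN is generally discouraged, but whether it can be dropped here depends on what the peers negotiate, which the hunk does not show.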
diff --git a/configuration/work/hardware-configuration.nix b/configuration/work/hardware-configuration.nix
new file mode 100644
index 0000000..9c8c4b1
--- /dev/null
+++ b/configuration/work/hardware-configuration.nix
@@ -0,0 +1,41 @@
+# Do not modify this file! It was generated by ‘nixos-generate-config’
+# and may be overwritten by future invocations. Please make changes
+# to /etc/nixos/configuration.nix instead.
+{ config, lib, pkgs, modulesPath, ... }:
+
+{
+ imports =
+ [ (modulesPath + "/installer/scan/not-detected.nix")
+ ];
+
+ boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "thunderbolt" "usb_storage" "sd_mod" ];
+ boot.initrd.kernelModules = [ ];
+ boot.kernelModules = [ "kvm-amd" ];
+ boot.extraModulePackages = [ ];
+
+ fileSystems."/" =
+ { device = "/dev/disk/by-uuid/df469cf1-1acc-4bf4-86e1-ec368e5a96a1";
+ fsType = "ext4";
+ };
+
+ boot.initrd.luks.devices."luks-0f6e3603-084c-4438-9749-36b31b6f226a".device = "/dev/disk/by-uuid/0f6e3603-084c-4438-9749-36b31b6f226a";
+
+ fileSystems."/boot" =
+ { device = "/dev/disk/by-uuid/F0E6-4DF3";
+ fsType = "vfat";
+ options = [ "fmask=0077" "dmask=0077" ];
+ };
+
+ swapDevices = [ ];
+
+ # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
+ # (the default) this is the recommended approach. When using systemd-networkd it's
+ # still possible to use this option, but it's recommended to use it in conjunction
+ # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
+ networking.useDHCP = lib.mkDefault true;
+ # networking.interfaces.enp1s0f0.useDHCP = lib.mkDefault true;
+ # networking.interfaces.wlp2s0.useDHCP = lib.mkDefault true;
+
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+ hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
+}